CookieMonster: Not As Sweet As It Sounds!

Websites used for email, banking, e-commerce and other sensitive applications just got even less secure with the release of a new tool that siphons users' authentication credentials – even when they're sent through supposedly secure channels.

Dubbed CookieMonster, the toolkit is used in a variety of man-in-the-middle scenarios to trick a victim's browser into turning over the authentication cookies used to gain access to user account sections of a website. Unlike an attack method known as sidejacking, it works with vulnerable websites even when a user's browsing session is encrypted from start to finish using the secure sockets layer (SSL) protocol.

I don't really get the tecchy stuff, but in short, there is a new way for nasty hacker types to get hold of our private information, especially when we're using less secure public networks, such as free wifi at the local net café. They suggest the following method to determine whether the website you are using is vulnerable to attack:

To find out if your bank is susceptible, clear all cookies and then log in to the site. Next, clear all cookies marked as “SECURE” (in Firefox, go to preferences > privacy > show cookies. Delete only the cookies marked as “Encrypted connections only”). Then visit the site again. If you're logged in, there's a strong chance the site is wide open.
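The same check can be run against a site's response headers instead of by hand in the browser. As an added example (not part of the original post or the CookieMonster tool), the Python below parses Set-Cookie headers and reports login or session cookies that lack the Secure attribute; those are the ones a browser will attach to a plain http:// request, which is exactly what the manual test above detects. The header lines and cookie names are constructed sample data, and the session-name heuristic is an assumption.

```python
"""Flag session cookies set without the Secure attribute (constructed sample data)."""
from dataclasses import dataclass, field


@dataclass
class Cookie:
    name: str
    value: str
    attrs: dict = field(default_factory=dict)  # attribute names lowercased

    @property
    def secure(self) -> bool:
        # Only cookies carrying "Secure" are withheld from http:// requests.
        return "secure" in self.attrs


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie value: name=value; Attr; Attr=value ..."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return Cookie(name.strip(), value.strip(), attrs)


# Heuristic (assumed) substrings that mark a cookie as authentication state.
SESSION_HINTS = ("sess", "auth", "token", "sid", "login")


def looks_like_session(cookie: Cookie) -> bool:
    name = cookie.name.lower()
    return any(hint in name for hint in SESSION_HINTS)


def audit(set_cookie_headers):
    """Return names of session-like cookies that would travel over plaintext HTTP."""
    exposed = []
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if looks_like_session(cookie) and not cookie.secure:
            exposed.append(cookie.name)
    return exposed


# Constructed sample: one well-protected session cookie, one exposed, one harmless.
SAMPLE_HEADERS = [
    "SESSIONID=8f3a1c; Path=/; Secure; HttpOnly",
    "auth_token=d41d8c; Path=/; HttpOnly",  # no Secure: sent on http:// too
    "lang=en; Path=/",
]

if __name__ == "__main__":
    print("Exposed over HTTP:", audit(SAMPLE_HEADERS))
```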